The Only Thing Surprising About The Crippling Ransomware Attack On A Major US Fuel Pipeline Is That Anyone Is Surprised That The Attack Succeeded

Colonial Pipeline, which operates a 5,500-mile system that transports nearly 45% of the fuel consumed on the East Coast of the United States, shut down on Friday critical portions of its fuel distribution network in response to a crippling ransomware attack that devastated the American fuel pipeline operator; since then, fuel prices have creeped up across the United States, and 17 US States and Washington DC have declared states of emergency.

Despite some media reports portraying the Colonial breach as some sort of advanced attack involving devious planning or nation/state cyberterrorism, the hacking appears to have been quite elementary, likely achieved by exploiting human vulnerabilities created by the sudden transition to remote management necessitated by the COVID-19 pandemic, coupled with the failure of organizations to properly prepare for any such eventuality. While politicians may seek to deflect blame to outsiders rather than acknowledge our own collective cyber-incompetence, it seems far more likely that the criminals simply wanted to make money than to cripple the US economy or engage in cyber-terrorism.

Warnings about vulnerabilities in fuel production and delivery infrastructure  are not new – I remember both myself and other speakers at a Gartner security summit 18 years ago in Washington discussing the matter with members of our audience after a panel about the security of American energy infrastructure; all involved believed that not only did a problem already exist, but that the danger would grow worse with time as an increasing number of SCADA (Supervisory Control And Data Acquisition) and other management systems were directly or indirectly connected to the Internet. Over the ensuing years, experts have repeatedly pointed out that not only were many of the technology systems being deployed to improve the efficiency of fuel distribution infrastructure management introducing dangerous vulnerabilities, but that a cyber-attack against the operator of a fuel pipeline was eventually going to both occur and succeed.

In 2018, we learned that hackers had disrupted various communications systems used by American natural gas pipeline companies by breaching the third-party operators of those systems; while those attacks did not disrupt gas supplies, they did cause reporting problems and billing delays. And, just before the COVID-19 pandemic hit the United States,  the Department of Homeland Security alerted information security professionals that a ransomware attack delivered via phishing emails had adversely impacted operations at one of the country’s natural gas processors.

Nor were those isolated incidents.

Almost a decade ago, cyber-attackers compromised 35,000 computers at Saudi Arabia’s state owned Aramco, the world’s largest exporter of crude oil. In late 2016, hackers, perhaps acting on behalf of the Russian government, utilized multiple pieces of malware to both knock out power to large segments of Ukraine and to simultaneously disable the phone communications capabilities of the impacted power providers, thereby complicating recovery efforts. Less than 3 years later, hackers attacked Pemex, a multi-billion-dollar Mexican oil company, and demanded a $5-million ransom –when the company did not pay the ransom, it suffered several weeks of technical problems.

Providers of utilities and fuel infrastructure, like the rest of us, suffer from what I sometimes term the “Chocolate Cookie Addiction” to technology – the improved convenience and other immediately-enjoyed benefits provided by new technologies appear so attractive that we often ignore dangerous longer-term side effects that, deep down, we know exist.

While some experts have suggested that the federal government can easily address our nation’s terrible state of cyber-vulnerability by issuing stricter, detailed cybersecurity mandates – such mandates can easily backfire, and, sometimes, not only improve security, but actually undermine it (for reasons which I have explained in the past, and will address again soon in another article).

In the end, what we truly need is to change our attitude; we must both treat security with the importance that it deserves, as well as stop seeking to blame the success of simplistic attacks on advanced foreign actors; we must stop inventing excuses for our own national cyber-incompetence. Hopefully, the Colonial breach will serve as a wake up call – because, unless we change our societal attitude, increasingly dangerous incidents that make the Colonial breach look like child’s play will certainly occur in the future.